Merge pull request #13 from Keyfactor/ab#65774

v1.1.0

Author: doebrowsk

CHANGELOG.md

@@ -1,3 +1,8 @@
+# v1.1.0
+
+## Features
+- Support for sourcing client config files from Azure Key Vault
+
 # v1.0.0
 
 ## Features

README.md

@@ -151,4 +151,58 @@ servers:
     client_id: client-id
     client_secret: client-secret
     api_path: KeyfactorAPI
+```
+
+## Configuration File Providers
+
+Below are a list of configuration file providers that can be used to load configuration from a file if loading from disk
+is not desired. 
+
+### Azure Key Vault
+
+To use Azure Key Vault as a configuration file provider, the code must either be running in an Azure environment or the
+environment configured with `az login`. The following environment variables can be used and will take precedence over
+any configuration file. *NOTE* that the secret must be formatted as specified in the example configuration files above.
+
+| Name                | Description                           | Default |
+|---------------------|---------------------------------------|---------|
+| AZURE_KEYVAULT_NAME | The name of the Azure KeyVault        |         |
+| AZURE_SECRET_NAME   | The name of the Azure KeyVault secret |         |
+
+#### JSON
+
+Below is an example of a configuration file that uses Azure Key Vault as a configuration file provider. *NOTE* that the
+secret must be formatted as specified in the example configuration files above.
+
+```json
+{
+  "servers": {
+    "default": {
+      "auth_provider": {
+        "type": "azid",
+        "profile": "default",
+        "parameters": {
+          "secret_name": "<akv_secret_name>",
+          "vault_name": "<akv_vault_name>"
+        }
+      }
+    }
+  }
+}
+```
+
+#### YAML
+
+Below is an example of a configuration file that uses Azure Key Vault as a configuration file provider. *NOTE* that the
+secret must be formatted as specified in the example configuration files above.
+
+```yaml
+servers:
+  default:
+    auth_provider:
+      type: azid
+      profile: default
+      parameters:
+        secret_name: <akv_secret_name>
+        vault_name: <akv_vault_name>
 ```

auth_providers/auth_basic.go

@@ -52,13 +52,13 @@ type CommandAuthConfigBasic struct {
 	CommandAuthConfig
 
 	// Username is the username to be used for authentication to Keyfactor Command API
-	Username string `json:"username,omitempty"`
+	Username string `json:"username,omitempty" yaml:"username,omitempty"`
 
 	// Password is the password to be used for authentication to Keyfactor Command API
-	Password string `json:"password,omitempty"`
+	Password string `json:"password,omitempty" yaml:"password,omitempty"`
 
 	// Domain is the domain of the Active Directory used to authenticate to Keyfactor Command API
-	Domain string `json:"domain,omitempty"`
+	Domain string `json:"domain,omitempty" yaml:"domain,omitempty"`
 }
 
 // NewBasicAuthAuthenticatorBuilder creates a new instance of CommandAuthConfigBasic
@@ -194,8 +194,8 @@ func (a *CommandAuthConfigBasic) Authenticate() error {
 		return cErr
 	}
 
-	// create oauth Client
-	authy, err := NewBasicAuthAuthenticatorBuilder().
+	// create Basic Client
+	authy, err := a.
 		WithUsername(a.Username).
 		WithPassword(a.Password).
 		WithDomain(a.Domain).

auth_providers/auth_core.go

@@ -98,7 +98,7 @@ func (f roundTripperFunc) RoundTrip(req *http.Request) (*http.Response, error) {
 // CommandAuthConfig represents the base configuration needed for authentication to Keyfactor Command API.
 type CommandAuthConfig struct {
 	// ConfigType is the type of configuration
-	ConfigType string `json:"config_type"`
+	ConfigType string `json:"config_type,omitempty" yaml:"config_type,omitempty"`
 
 	//ConfigProfile is the profile of the configuration
 	ConfigProfile string
@@ -110,34 +110,34 @@ type CommandAuthConfig struct {
 	FileConfig *Server
 
 	// AuthHeader is the header to be used for authentication to Keyfactor Command API
-	AuthHeader string `json:"auth_header"`
+	AuthHeader string `json:"auth_header,omitempty" yaml:"auth_header,omitempty"`
 
 	// CommandHostName is the hostname of the Keyfactor Command API
-	CommandHostName string `json:"host"`
+	CommandHostName string `json:"host,omitempty" yaml:"host,omitempty"`
 
 	// CommandPort is the port of the Keyfactor Command API
-	CommandPort int `json:"port"`
+	CommandPort int `json:"port,omitempty" yaml:"port,omitempty"`
 
 	// CommandAPIPath is the path of the Keyfactor Command API, default is "KeyfactorAPI"
-	CommandAPIPath string `json:"api_path"`
+	CommandAPIPath string `json:"api_path,omitempty" yaml:"api_path,omitempty"`
 
 	// CommandAPIVersion is the version of the Keyfactor Command API, default is "1"
-	CommandVersion string `json:"command_version"`
+	CommandVersion string `json:"command_version,omitempty" yaml:"command_version,omitempty"`
 
 	// CommandCACert is the CA certificate to be used for authentication to Keyfactor Command API for use with not widely trusted certificates. This can be a filepath or a string of the certificate in PEM format.
-	CommandCACert string `json:"command_ca_cert"`
+	CommandCACert string `json:"command_ca_cert,omitempty" yaml:"command_ca_cert,omitempty"`
 
 	// SkipVerify is a flag to skip verification of the server's certificate chain and host name. Default is false.
-	SkipVerify bool `json:"skip_verify"`
+	SkipVerify bool `json:"skip_verify,omitempty" yaml:"skip_verify,omitempty"`
 
 	// HttpClientTimeout is the timeout for the http Client
-	HttpClientTimeout int `json:"client_timeout"`
+	HttpClientTimeout int `json:"client_timeout,omitempty" yaml:"client_timeout,omitempty"`
 
 	// UserAgent is the user agent to be used for authentication to Keyfactor Command API
-	UserAgent string `json:"user_agent,omitempty"`
+	UserAgent string `json:"user_agent,omitempty" yaml:"user_agent,omitempty"`
 
 	// Debug
-	Debug bool `json:"debug,omitempty"`
+	Debug bool `json:"debug,omitempty" yaml:"debug,omitempty"`
 
 	// HttpClient is the http Client to be used for authentication to Keyfactor Command API
 	HttpClient *http.Client
@@ -731,6 +731,8 @@ func (c *CommandAuthConfig) GetServerConfig() *Server {
 	return &server
 }
 
+type contextKey string
+
 // Example usage of CommandAuthConfig
 //
 // This example demonstrates how to use CommandAuthConfig to authenticate to the Keyfactor Command API.

auth_providers/auth_oauth.go

@@ -1,3 +1,17 @@
+// Copyright 2024 Keyfactor
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
 package auth_providers
 
 import (
@@ -72,40 +86,34 @@ type CommandConfigOauth struct {
 	CommandAuthConfig
 
 	// ClientID is the Client ID for OAuth authentication
-	ClientID string `json:"client_id,omitempty"`
+	ClientID string `json:"client_id,omitempty" yaml:"client_id,omitempty"`
 
 	// ClientSecret is the Client secret for OAuth authentication
-	ClientSecret string `json:"client_secret,omitempty"`
+	ClientSecret string `json:"client_secret,omitempty" yaml:"client_secret,omitempty"`
 
 	// Audience is the audience for OAuth authentication
-	Audience string `json:"audience,omitempty"`
+	Audience string `json:"audience,omitempty" yaml:"audience,omitempty"`
 
 	// Scopes is the scopes for OAuth authentication
-	Scopes []string `json:"scopes,omitempty"`
+	Scopes []string `json:"scopes,omitempty" yaml:"scopes,omitempty"`
 
 	// CACertificatePath is the path to the CA certificate for OAuth authentication
-	CACertificatePath string `json:"idp_ca_cert,omitempty"`
+	CACertificatePath string `json:"idp_ca_cert,omitempty" yaml:"idp_ca_cert,omitempty"`
 
 	// CACertificates is the CA certificates for authentication
 	CACertificates []*x509.Certificate `json:"-"`
 
 	// AccessToken is the access token for OAuth authentication
-	AccessToken string `json:"access_token,omitempty"`
+	AccessToken string `json:"access_token,omitempty" yaml:"access_token,omitempty"`
 
 	// RefreshToken is the refresh token for OAuth authentication
-	RefreshToken string `json:"refresh_token,omitempty"`
+	RefreshToken string `json:"refresh_token,omitempty" yaml:"refresh_token,omitempty"`
 
 	// Expiry is the expiry time of the access token
-	Expiry time.Time `json:"expiry,omitempty"`
+	Expiry time.Time `json:"expiry,omitempty" yaml:"expiry,omitempty"`
 
 	// TokenURL is the token URL for OAuth authentication
-	TokenURL string `json:"token_url,omitempty"`
-
-	//// AuthPort
-	//AuthPort string `json:"auth_port,omitempty"`
-
-	//// AuthType is the type of OAuth auth to use such as client_credentials, password, etc.
-	//AuthType string `json:"auth_type,omitempty"`
+	TokenURL string `json:"token_url,omitempty" yaml:"token_url,omitempty"`
 }
 
 // NewOAuthAuthenticatorBuilder creates a new CommandConfigOauth instance.
@@ -372,7 +380,7 @@ func (b *CommandConfigOauth) ValidateAuthConfig() error {
 		}
 	}
 
-	if b.Scopes == nil || len(b.Scopes) == 0 {
+	if len(b.Scopes) == 0 {
 		if scopes, ok := os.LookupEnv(EnvKeyfactorAuthScopes); ok {
 			// split the scopes by comma
 			b.Scopes = strings.Split(scopes, ",")
@@ -424,6 +432,7 @@ func (b *CommandConfigOauth) GetServerConfig() *Server {
 		Port:          b.CommandPort,
 		ClientID:      b.ClientID,
 		ClientSecret:  b.ClientSecret,
+		AccessToken:   b.AccessToken,
 		OAuthTokenUrl: b.TokenURL,
 		APIPath:       b.CommandAPIPath,
 		Scopes:        b.Scopes,